Page 1 of 15 General Information of Malware Definition of Malware

General Information of Malware
Definition of Malware
Malware, also known as malicious code, is short for malicious software. The term refers
broadly to any software that is inserted into a computer system without authorization,
usually covertly, with the intent of compromising the confidentiality, integrity, or
availability of the victim's data, applications, or operating system, or of otherwise
annoying or disrupting the victim.
In the 1980s, malware was an occasional nuisance or inconvenience to individuals and
organizations; today, malware is the most significant external threat to most systems,
causing widespread damage and disruption and necessitating extensive recovery efforts
within most organizations.
Motivations of Malware Creation
Malware writers can have various reasons for creating and spreading malware. The
following are common reasons:
1. Fun/Hobby/Spreading of ideology
   Some malware writers consider their creations to be works of art, and see malware
   writing as a creative hobby.
2. Jokes/Pranks
   Pranks range from harmless programs that merely display an annoying message to
   programs that destroy files or disable a computer altogether.
3. Showing computing knowledge/Gaining respect
   Widely spread malware that is reported by the mass media can demonstrate the
   writer's knowledge and earn great respect in a small group of like-minded people.
4. Industrial espionage
   Obtaining secret information about a company by exploiting weaknesses and defects in
   the company's IT systems is quite common today.
5. Experimental/Research/Proof of concept
   Malware is written in laboratories and research facilities for experimental or
   research purposes. Most of these samples never spread. Samples that exist only in
   labs and research test systems are described here as in-the-field (the more common
   industry term is in-the-zoo); malware that has been found infecting users' computers
   in the real world is called in-the-wild.
6. Vandalism/Graffiti
   The intentional destruction of property is popularly referred to as vandalism. It
   includes behavior such as breaking windows, slashing tires, spray painting a wall
   with graffiti, and destroying a computer system through the use of malware.
   Vandalism is a malicious act and may reflect personal ill will, although the
   perpetrators need not know their victim to commit vandalism.
7. Revenge
   There are always employees who are not particularly satisfied with their employer.
   A programmer or system administrator who is about to be fired may leave behind
   backdoors or software "time bombs" that allow them to damage the former employer's
   systems or destroy their own earlier work. Malware is also used to attack the
   products of specific companies or web sites. According to the FBI, revenge by
   employees is a very common reason for IT-related crimes.
8. Political message
   Malware that infects executable files on compromised computers and displays a
   political message when launched. This type of malware usually targets particular
   government organizations.
9. Profit/Financial gain/Extortion
   Malware writers motivated by profit or financial gain are more and more likely to be
   working with spammers and hackers. One of the most common methods is stealing
   sensitive information, which is then sold on the black market to criminal
   organizations for a profit.
   Some malware encrypts some of the files on your computer and then leaves a message
   telling you to contact a certain email address, quoting a reference number, so that
   you can buy back your own files.
Life Cycle of a Malware
1. Creation
   In the past, creating malware required knowledge of a programming language. Today
   anyone with basic programming knowledge and Internet access can create malware.
   Many web sites provide malware source code for download, together with instructions
   showing interested people how to create and spread malicious code. They also
   encourage individuals to develop their own harmful versions of existing,
   tried-and-tested malicious programs.
   Kits are malware-generating applications that often give users the option to create
   customized malware. Most kits can produce multiple variations of a malware, and many
   have been used to generate new variants of existing worms.
2. Replication and Propagation
   Malware propagates in a number of ways. Worms may spread via email, instant
   messengers, or network shares. Viruses replicate within a system, and some viruses
   also have automatic propagation techniques similar to worms. Trojans, while having
   no automatic form of replication or propagation, are nevertheless available all over
   the Internet, and links to download them may be included in email messages or on
   other Web sites.
3. Activation
   Most malware performs its malicious activities upon execution. Some carry payloads
   that are activated only on a certain trigger date, or when a specific trigger
   condition is met.
4. Discovery
   This phase does not always follow activation (but typically does). When malware is
   detected and isolated, a sample is sent to the ICSA (International Computer Security
   Association) to be documented and distributed to antivirus software developers.
   However, with the rapid development of technology and the ease with which malware
   authors create their programs, most malware is released on unsuspecting users even
   before it is discovered by the "authorities". This is all the more reason to protect
   your system from the threats that surround the computing world today.
5. Assimilation
   At this point, antivirus software developers modify their software so that it can
   detect the new malware. This can take anywhere from several hours to several days,
   depending on the developer and the malware type.
6. Eradication
   If enough users install up-to-date antivirus software, a malware's spread can be
   driven down to negligible levels. So far no malware has disappeared completely, but
   many have long ceased to be a major threat.
Propagation Methods of Malware
1. Network shares
   A prevalent propagation method of malware today is via network shares. Malware
   that propagates via network shares accesses target systems in the following ways:
   ■ Dictionary and brute-force attack
     Some malware carries a hard-coded list of common user names and passwords in its
     body and uses that list to launch a dictionary attack against the target system.
     A dictionary attack tries each user name and password from a prepared list; a
     brute-force attack tries every possible combination. Because the malware only
     knows its hard-coded list, what it performs is a dictionary attack, and it
     succeeds only against accounts whose credentials appear on that list.
     Users who choose an easy-to-guess user name and password therefore expose their
     account, and through it the network, to unauthorized access.
   ■ Exploits
     Any software may contain so-called vulnerabilities, or "holes", in its code. Holes
     can be exploited by malware writers to run malicious routines. Software vendors
     usually release a patch for a discovered vulnerability, but it is still the user's
     responsibility to make sure that patches are installed.
     Microsoft releases security updates on a monthly cycle (historically announced as
     Security Bulletins, now published in the Security Update Guide). Customers using
     Microsoft software are advised to obtain patches regularly through Windows Update
     or Microsoft Update.
   ■ Peer-to-peer (P2P) programs
     Peer-to-peer (P2P) programs have become increasingly popular as the Internet has
     grown increasingly diverse. Users commonly exchange files via P2P applications.
     Upon installation, a user is usually asked to specify a shared folder, the folder
     most commonly used to store files for sharing. It is exactly this folder that some
     malware uses to propagate.
     Some malware drops a copy of itself in folders it assumes are shared (such as any
     folder with "shar" in its name), using an inconspicuous file name (usually posing
     as legitimate software or as an archived image). The malware spreads when users
     download and execute it.
     Commonly used file names for malware copies in shared folders are The Sims
     crack.EXE, DivX 7.0 final.EXE, and ACDSee 9.EXE.
   ■ Current user account
     Malware may also use the current account to access other systems in the network.
     This is possible especially if the current user is an administrator, or has
     privileges that allow access to network folders.
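The dictionary attack described under Network shares above leaves a distinctive trace on the target: a burst of failed logons from one source address spread across many user names, sometimes followed by a success. The script below is an added example, not code from the original page; it parses a constructed log (the "timestamp OUTCOME src=... user=..." format is an assumption, not any product's real format) and separates dictionary-style bursts from single-account brute force, reporting the account that finally succeeded.

```python
"""Detect dictionary and brute-force logon attempts against network shares.

Added example, not code from the original page. It parses a constructed sample
log (the record format is an assumption) and flags source addresses that produce
a burst of failed logons: many distinct user names in the burst points to a
hard-coded dictionary, while one account hammered repeatedly points to plain
brute force.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; "ts OUTCOME src=... user=..." is an assumed format.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 LOGON_FAILURE src=10.0.0.5 user=administrator",
    "2024-05-01T10:00:02 LOGON_FAILURE src=10.0.0.5 user=admin",
    "2024-05-01T10:00:02 LOGON_FAILURE src=10.0.0.5 user=root",
    "2024-05-01T10:00:03 LOGON_FAILURE src=10.0.0.5 user=guest",
    "2024-05-01T10:00:03 LOGON_FAILURE src=10.0.0.5 user=test",
    "2024-05-01T10:00:04 LOGON_FAILURE src=10.0.0.5 user=owner",
    "2024-05-01T10:00:04 LOGON_SUCCESS src=10.0.0.5 user=backup",
    "2024-05-01T10:02:00 LOGON_FAILURE src=10.0.0.20 user=svc_backup",
    "2024-05-01T10:02:10 LOGON_FAILURE src=10.0.0.20 user=svc_backup",
    "2024-05-01T10:02:20 LOGON_FAILURE src=10.0.0.20 user=svc_backup",
    "2024-05-01T10:02:30 LOGON_FAILURE src=10.0.0.20 user=svc_backup",
    "2024-05-01T10:02:40 LOGON_FAILURE src=10.0.0.20 user=svc_backup",
    "2024-05-01T10:05:00 LOGON_FAILURE src=10.0.0.9 user=alice",
    "2024-05-01T10:05:30 LOGON_FAILURE src=10.0.0.9 user=alice",
    "2024-05-01T10:06:00 LOGON_SUCCESS src=10.0.0.9 user=alice",
    "this line is malformed and is skipped",
]

LINE_RE = re.compile(r"^(\S+) (LOGON_FAILURE|LOGON_SUCCESS) src=(\S+) user=(\S+)$")


def parse(lines):
    """Return (timestamp, outcome, src, user) tuples sorted by time; bad lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, outcome, src, user = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, src, user))
    events.sort()
    return events


def detect(events, window=timedelta(seconds=60), min_failures=5, min_users=3):
    """Map each suspicious src to a summary of its burst.

    A burst is min_failures or more failed logons from one src inside `window`.
    It is classed as a dictionary attack when it spans min_users or more user
    names, otherwise as brute force against one account. If the same src then
    logs on successfully, that user is reported as the likely compromised account.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] == "LOGON_FAILURE"]
        start = 0
        for end in range(len(failures)):
            # slide the window start forward until the burst fits inside `window`
            while failures[end][0] - failures[start][0] > window:
                start += 1
            burst = failures[start:end + 1]
            if len(burst) < min_failures:
                continue
            users = {e[3] for e in burst}
            kind = "dictionary" if len(users) >= min_users else "brute-force"
            later_success = [e[3] for e in evs
                             if e[1] == "LOGON_SUCCESS" and e[0] >= burst[0][0]]
            alerts[src] = {
                "kind": kind,
                "failures": len(burst),
                "distinct_users": len(users),
                "success_after_burst": later_success[0] if later_success else None,
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect(parse(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds are deliberately low for the sample; in production they should be tuned per environment, and the "success after burst" field is the one to act on first, since it names the account whose password was on the attacker's list.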
2. Email messages
   Mass-mailing malware is capable of sending out a large number of email messages at a
   time to specific addresses. Numerous mass-mailers have wreaked havoc, and in the
   process become very publicized, because of their ability to use social engineering to
   spread rapidly across the globe.
   Social engineering is a method used by malware authors to entice users to
   inadvertently aid the spread of the malware. Malware authors fashion email messages
   that are intriguing, or that pretend to be from legitimate organizations.
   Unsuspecting users are made to think they have received a harmless greeting card or a
   virus warning from the system administrator, when they have actually received a
   mass-mailing worm.
   So far, social engineering remains the most consistently successful propagation
   technique a malware can have. There is no foolproof measure against social
   engineering, as it manipulates ordinary email habits and popular interests.
   The email messages of mass-mailers arrive with varying details. Some arrive with a
   spoofed From address, while others use the email address of the infected user. Some
   use the address of someone in the intended victim's own Address Book to make the user
   believe that the content is trustworthy. Because the From header is trivially forged,
   the sender it names says nothing about who actually sent the message; the envelope
   sender and the Received headers are the only evidence of origin.
   The message body is usually something vague or intriguing that encourages the user to
   open the attachment to find out more. Common attachments have an .EXE, .PIF, or .SCR
   extension, often behind a double extension such as .JPG.EXE so that a system
   configured to hide known extensions displays them as harmless files.
   A large-scale mass-mailing outbreak is capable of causing millions of dollars in
   damage. Email servers may become clogged with the volume of email the mass-mailer
   sends out, and recipients' mailboxes may be clogged as well. Networks may suffer
   congestion, and available bandwidth can be severely reduced. Infected systems may
   slow down because of the mass-mailing activity, hampering their performance for their
   users.
   In addition, some mass-mailers have other malicious routines called payloads. Some
   may overwrite files, or cause system functions to fail. Others may perform denial of
   service (DoS) attacks, in which a Web site is subjected to continuous and relentless
   access requests, causing the site's server to break down.
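The three mass-mailer traits described above (a forged From header, an executable attachment hiding behind a double extension, and a bait subject line) can each be checked mechanically at the mail gateway. The script below is an added example, not code from the original page; it builds a constructed message with Python's standard email package and triages it. The phrase list, the extension list and the header names it compares are assumptions chosen for the demonstration, not a vendor's rule set.

```python
"""Triage an inbound message for mass-mailer traits.

Added example, not code from the original page. It builds a constructed message
with the standard-library email package and checks three things: a From address
whose domain differs from the envelope sender in Return-Path (spoofing), an
executable attachment (.EXE/.PIF/.SCR and friends, including one disguised with
a double extension), and a social-engineering subject line. The phrase and
extension lists are assumptions.
"""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs"}
BAIT_PHRASES = ("greeting card", "virus warning", "your account", "see attached")


def build_sample_message():
    """Constructed mass-mailer style message (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <admin@example.com>"
    msg["Return-Path"] = "<bounce@mailer.example.net>"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Virus warning - see attached"
    msg.set_content("Please run the attached cleaner to remove the infection.")
    # a fake PE header is enough to stand in for an executable attachment
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="cleaner.jpg.scr")
    return msg.as_bytes()


def build_benign_message():
    """Constructed ordinary message for comparison."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.com>"
    msg["Return-Path"] = "<alice@example.com>"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q2 report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="q2-report.pdf")
    return msg.as_bytes()


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw):
    """Return a sorted list of finding tags for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = set()

    # header From versus the envelope sender recorded in Return-Path
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, envelope = parseaddr(str(msg.get("Return-Path", "")))
    if from_addr and envelope and _domain(from_addr) != _domain(envelope):
        findings.add("spoofed-from")

    # executable attachments, including ones disguised with a double extension
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name.lower())
        if ext in EXECUTABLE_EXT:
            findings.add("executable-attachment")
            if os.path.splitext(stem)[1]:      # e.g. cleaner.jpg.scr posing as an image
                findings.add("double-extension")

    # social-engineering bait in the subject
    subject = str(msg.get("Subject", "")).lower()
    if any(phrase in subject for phrase in BAIT_PHRASES):
        findings.add("bait-subject")
    return sorted(findings)


if __name__ == "__main__":
    print(triage(build_sample_message()))   # four findings
    print(triage(build_benign_message()))   # none
```

A real gateway would look at the MIME type and magic bytes of the attachment as well as its name, since the file name is entirely under the sender's control; the extension check here is the minimum that catches the cases the text lists.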
3. Instant Messengers
   The increasing popularity of instant messaging among computer users at home and in
   the business environment has turned it into one of the most recent and effective
   infection vectors.
   Worms may propagate via popular instant messaging services provided by Internet
   giants like Yahoo, AOL, and MSN. Such worms mainly employ the following methods of
   propagation via instant messengers:
   ■ The worm sends copies of itself using the file transfer feature of the instant
     messenger.
   ■ Instant messages may contain links that point to other malware. Once the user
     clicks a link displayed in an instant messenger dialog box, a copy of the worm or
     other malware is downloaded and executed on the affected system.
4. Other Propagation Methods
   There is malware, such as Trojans and backdoor applications, that has no inherent
   propagation method. It is usually installed manually by a user, or may be downloaded
   (automatically or manually) from Web sites.
   Although such malware usually needs several components to be present in order to
   execute properly, once all components are present it is capable of malicious
   activities such as stealing information from the user, or dropping and executing
   other malware on the system. Others may delete files, or allow a remote user to
   access the infected system.
   Please perform the following preventive measures to protect systems from these types
   of attacks:
   ■ Regularly upgrade Internet browsers. Check the browser's Web site for updates and
     patches.
   ■ Check browser security levels. Make sure that the sites specified as Trusted Sites
     are correct, and that Security Settings are appropriate.
   ■ Some malware poses as a harmless program that aims to "improve" the performance of
     your system and asks to be downloaded and installed. Do not agree to install any
     program that you are not comfortable or familiar with; verify the publisher and the
     installer before you install it.
   ■ Think before clicking the Yes button on browser pop-ups. Read descriptions and
     disclaimers, and know what is being agreed to.
   ■ Make sure that people who access the network have the appropriate privileges, and
     that network shares have the appropriate permissions.
Types of Malware
The following are well-known types of malware:
1. Virus
   A computer virus, commonly referred to as a virus, is a program or piece of
   executable code that replicates its own code (self-replication) by attaching itself
   to other executable files (host-file infection), so that the virus code is executed
   whenever the infected executable is executed. Viruses spread as the infected files
   are copied and sent from individual to individual. Well-known viruses include
   Michelangelo and CIH.
2. Worm
   A computer worm is a self-contained program or set of programs that is able to
   spread functional copies of itself or its segments to other computer systems. The
   propagation usually takes place via network connections or email attachments.
   Usually a worm does not require human interaction to spread; it spreads via
   vulnerabilities or misconfigurations in target systems. For a small number of worms,
   however, some user interaction is necessary for propagation (e.g., opening an email
   viewer). Well-known worms include the Morris Worm, Code Red, SQL Slammer, Netsky,
   SoBig, and Sasser.
3. Trojan horse
   A Trojan is malware that performs a malicious action but has no replication
   abilities. Named after the Trojan horse of Greek mythology, a Trojan may arrive as a
   seemingly useful and harmless file or application that actually has hidden malicious
   intent within its code. Trojan malware usually has a payload. When a Trojan is
   executed, you may experience unwanted system problems in operation, and sometimes
   loss of valuable data. Well-known Trojan horses include Setiri and Hydan.
4. Malicious Mobile Code
   Malicious mobile code is a general term for any lightweight executable program that
   is downloaded from a remote system and executed locally with minimal or no user
   intervention to make your system do something that you do not want it to do.
   Malicious mobile code can be an effective way of attacking systems, as well as a
   good mechanism for transmitting viruses, worms, and Trojan horses to users.
   Malicious mobile code differs from viruses and worms in that it does not infect files
   or attempt to propagate itself. Instead of exploiting particular vulnerabilities, it
   often affects systems by taking advantage of the default privileges granted to mobile
   code. Popular languages for malicious mobile code include Java, ActiveX, JavaScript,
   and VBScript. One of the best-known examples of malicious mobile code is Nimda, which
   used JavaScript.
5. Combination malware (blended threat)
   Combination malware (a blended threat) is an attack that bundles some of the aspects
   of viruses, worms, Trojan horses and malicious code into one threat. Blended threats
   use server and Internet vulnerabilities to initiate, transmit and spread an attack.
   This combination of methods and techniques means blended threats can spread quickly
   and cause widespread damage. Characteristics of blended threats include: causes harm,
   propagates by multiple methods, attacks from multiple points, and exploits
   vulnerabilities.
   To be considered a blended threat, the attack would normally transport multiple
   attacks in one payload. For example, it wouldn't just launch a Denial of Service
   (DoS) attack; it would also install a backdoor and damage a local system in one
   shot. Additionally, blended threats are designed to use multiple modes of transport.
   For example, a worm may travel through e-mail, but a blended threat could use
   multiple routes such as e-mail, IRC and file-sharing networks. The actual attack
   itself is also not limited to a specific act. For example, rather than a specific
   attack on predetermined .exe files, a blended threat could modify .exe files, HTML
   files and registry keys at the same time; basically it can cause damage within
   several areas of your network at one time.
   Blended threats are considered the worst risk to security since the inception of
   viruses, as most blended threats require no human intervention to propagate.
   Well-known examples of blended threats are Lion and Bugbear.B.
6. Attacker Tools
   As part of a malware infection or other system compromise, various types of attacker
   tools might be delivered to a system. These tools, which are themselves forms of
   malware, allow attackers to gain unauthorized access to or use of infected systems
   and their data, or to launch additional attacks. When transferred by other malware,
   attacker tools can be delivered as part of the malware itself (e.g., inside a Trojan
   horse) or delivered after the infection occurs. For example, a worm-infected system
   might be directed by the worm to contact a particular malicious Web site, download
   tools from that site, and install them on the system. The following are commonly
   used attacker tools:
   ■ Backdoor
     Backdoor is a general term for a malicious program that listens for commands on a
     certain Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port.
     Most backdoors consist of a client component and a server component. The client
     resides on the intruder's remote computer, and the server resides on the infected
     system. Once a connection between client and server is established, the remote
     intruder has some degree of control over the infected computer. At a minimum, most
     backdoors allow an attacker to perform a certain set of actions on a system, such
     as transferring files, acquiring passwords, or executing arbitrary commands. Note
     that many backdoors instead connect outbound from the infected system to the
     attacker (a reverse connection), so that no inbound listening port is exposed to
     the firewall; a listening port is therefore not the only thing to look for.
     Backdoors may also have special capabilities, as follows:
     □ Zombies
       A zombie, sometimes called a bot, is a program installed on a system to cause it
       to attack other systems. The most prevalent type of zombie is the Distributed
       Denial of Service (DDoS) agent; an attacker can issue remote commands to many
       agents at once so that they perform a coordinated attack against a target.
       Well-known DDoS agents include Trinoo and Tribe Flood Network.
     □ Remote Administration Tools
       A remote administration tool (RAT) installed on a system enables a remote
       attacker to gain access to the system as needed. Most RATs grant full access to
       the system's functions and data. This may include the ability to watch
       everything that appears on the system's screen, or to take remote control of the
       system's devices, such as webcams, microphones, and speakers. Well-known RATs
       include SubSeven, Back Orifice, and NetBus.
       Both Netcat and Virtual Network Computing (VNC) can be used legitimately as
       remote administration tools, or illegitimately as attack tools.
   ■ Rootkit
     The term rootkit comes from the most powerful account on Unix-based operating
     systems, "root", which has capabilities similar to the built-in Administrator
     account in Windows. An attacker who compromised a computer would gain root
     privileges and install his or her collection of applications and utilities, known
     as a "kit", on the compromised system.
     Simply speaking, a rootkit is a set of tools used by an intruder after cracking a
     computer system. These tools help the attacker maintain access to the system and
     use it for malicious purposes. An attacker enters the victim's computer through a
     security loophole, like a weak password or a missing patch, and then installs a
     collection of tools that provides backdoor(s) for remotely accessing the cracked
     system and also masks the fact that the system is compromised.
     Though not very prevalent at the time of writing, other than the open-source NT
     rootkit called Hacker Defender, some malware programs are reportedly using
     rootkit-like mechanisms to hide deep inside Windows to evade detection and
     removal.
     Typically, rootkits do not exploit operating system flaws, but rather the
     operating system's extensibility. Windows, for example, is modular, flexible and
     designed as an easy platform upon which to build powerful applications. Rootkits
     created for Windows take advantage of these same features by extending and
     altering the operating system with their own suite of tools.
     There are two different types of rootkit:
     □ User-level rootkit
       Replaces or modifies executable programs used by system administrators and
       users. Examples include the Linux Rootkit (LRK) family, Universal Rootkit, and
       FakeGINA.
     □ Kernel-level rootkit
       Manipulates the heart of the operating system, the kernel, to hide and create
       backdoors. Examples include Adore and Kernel Intrusion System.
   ■ Keystroke loggers
     A keystroke logger, also known as a keylogger, monitors and records keyboard use.
     Keystroke loggers can record the information typed into a system, which might
     include the content of e-mails, usernames and passwords for local or remote
     systems and applications, and financial information (e.g., credit card number,
     social insurance number (SIN), personal identification number (PIN)). Some
     keystroke loggers require the attacker to retrieve the data from the system,
     whereas other loggers actively transfer the data to another system through
     e-mail, file transfer, or other means. Examples of keystroke loggers are
     KeySnatch, Spyster, and KeyLogger Pro.
   ■ Tracking cookies
     A cookie is a small data file that holds information about the use of a particular
     Web site. There are two kinds of cookie:
     □ Session cookies
       Session cookies are temporary cookies that are valid only for a single Web site
       session; they are discarded when the browser is closed.
     □ Persistent cookies
       Persistent cookies carry an expiry date, which may be years away, and are stored
       on the computer until then so that the site can identify the user during
       subsequent visits.
     The intended use of a persistent cookie is to record user preferences for a single
     Web site so that the site can automatically customize its appearance or behavior
     for the user's future visits. In this way, persistent cookies can help Web sites
     serve their users more effectively.
     Unfortunately, persistent cookies can also be misused as spyware to track a user's
     Web browsing activities for questionable reasons without the user's knowledge or
     consent. For example, a marketing firm could place advertisements on many Web
     sites and use a single cookie on a user's machine to track the user's activity on
     all of those Web sites, creating a detailed profile of the user's behavior. Cookies
     used in this way are known as tracking cookies. Information collected by tracking
     cookies is often sold to other parties and used to target advertisements and other
     directed content at the user. Most spyware detection and removal utilities
     specifically look for tracking cookies on systems.
     Another way to capture and deliver a user's private information is through the use
     of Web bugs. A Web bug is a tiny graphic on a Web site that is referenced within
     the Hypertext Markup Language (HTML) content of a Web page or e-mail. The graphic
     has no purpose other than to collect information about the user viewing the HTML
     content. Web bugs are usually invisible to users because they typically consist of
     only 1 pixel. Like tracking cookies, Web bugs are often used by marketing firms.
     They can collect information such as the user's Internet Protocol (IP) address and
     Web browser type and can also access a tracking cookie. These actions enable Web
     bugs to be used as spyware to create personal profiles of individual users.
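The session-versus-persistent distinction and the web bug description above both reduce to checks that can be run over a page and its response headers. The script below is an added example, not code from the original page; the HTML fragment, host names and Set-Cookie values in it are constructed. It classifies cookies by the presence of Expires or Max-Age, lists images that are 1x1 or hidden and served by a host other than the page's own, and then names the third-party hosts that both plant a web bug and set a persistent cookie, which is the combination the text describes as tracking.

```python
"""Tell session cookies from persistent ones and spot web bugs on a page.

Added example, not code from the original page. The HTML, hosts and Set-Cookie
headers are constructed. classify_cookie() applies the rule from the text: no
Expires/Max-Age means the cookie dies with the browser session, otherwise it
persists. find_web_bugs() lists <img> tags that are 1x1 (or hidden) and served
by a host other than the page's own. correlate() joins the two: a third-party
host that both serves a web bug and sets a persistent cookie is tracking the user.
"""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed page fragment; www.example.com is the assumed first-party host.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" width="120" height="40" alt="logo">
<img src="https://www.example.com/spacer.gif" width="1" height="1">
<img src="https://ads.tracker.example/pixel.gif?u=42" width="1" height="1">
<img src="https://metrics.example.org/b.gif" style="display: none">
</body></html>
"""

# Constructed Set-Cookie values keyed by the host that sent them.
SAMPLE_SET_COOKIES = {
    "www.example.com": "sid=9f3a; Path=/; HttpOnly",
    "ads.tracker.example": "uid=42; Expires=Wed, 21 Oct 2030 07:28:00 GMT; Path=/",
    "metrics.example.org": "s=1; Path=/",
}


def classify_cookie(set_cookie_value):
    """'persistent' if the cookie carries Expires or Max-Age, otherwise 'session'."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    for morsel in jar.values():
        if morsel["expires"] or morsel["max-age"]:
            return "persistent"
    return "session"


class _WebBugFinder(HTMLParser):
    """Collects third-party images that are 1x1 or hidden."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.bugs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        tiny = a.get("width", "").strip() in ("0", "1") and \
            a.get("height", "").strip() in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        # a relative src is served by the page's own host
        host = urlparse(a.get("src", "")).hostname or self.page_host
        if (tiny or hidden) and host != self.page_host:
            self.bugs.append({"src": a.get("src", ""), "host": host})


def find_web_bugs(html, page_host):
    """Return third-party 1x1 or hidden images found in html, in document order."""
    parser = _WebBugFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.bugs


def correlate(html, page_host, set_cookie_by_host):
    """Hosts that serve a web bug on this page and also set a persistent cookie."""
    bug_hosts = {b["host"] for b in find_web_bugs(html, page_host)}
    return sorted(host for host, value in set_cookie_by_host.items()
                  if host in bug_hosts and classify_cookie(value) == "persistent")


if __name__ == "__main__":
    print(find_web_bugs(SAMPLE_HTML, "www.example.com"))
    print(correlate(SAMPLE_HTML, "www.example.com", SAMPLE_SET_COOKIES))
```

The first-party 1x1 spacer is deliberately not reported: tiny images on the page's own host are usually layout, and it is the third-party host that can join visits across many sites into one profile.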
   ■ Web Browser Plug-Ins
A Web browser plug-in provides a way for certain types of content to be
displayed or executed through a Web browser. Attackers sometimes create
malicious plug-ins that act as spyware. When installed in a browser, these
plug-ins can monitor all use of the browser, such as which Web sites and
pages a user visits, and report the use to an external party. Because plug-ins
are loaded automatically when a Web browser is started, they provide an easy
way to monitor Web activity on a system. Some malicious Web browser
plug-ins are spyware dialers, which use modem lines to dial phone numbers
without the user’s permission or knowledge. Many of the dialers are
configured to call numbers that have high per-minute charges, while others
make nuisance calls to numbers such as emergency services 911.
   ■ E-Mail Generators
Malware can deliver an e-mail generating program to a system, which can be
used to create and send large quantities of e-mail to other systems without the
user’s permission or knowledge. Attackers often configure e-mail generators
to send malware, spyware, spam, or other unwanted content to e-mail
addresses on a predetermined list.
   ■ Attacker Toolkits
     Many attackers use toolkits containing several different types of utilities and
     scripts that can be used to probe and attack systems. Once a system has been
     compromised through malware or other means, an attacker might download and install
     a toolkit on the system. The toolkit can then be used to further compromise the
     system on which it has been installed, or to attack other systems. Types of
     programs typically found in an attacker toolkit are as follows:
     □ Packet Sniffers
       Packet sniffers are designed to monitor network traffic on wired or wireless
       networks and capture packets. A sniffer generally can be configured to capture
       all packets or only those with particular characteristics (e.g., certain TCP
       ports, certain source or destination IP addresses). Most packet sniffers are
       also protocol analyzers, which means that they can reassemble streams from
       individual packets and decode communications that use any of hundreds or
       thousands of different protocols.
     □ Port Scanners
       A port scanner is a program that attempts to determine remotely which ports on
       systems are open (i.e., whether the systems accept connections on those ports).
       Port scanners help attackers identify potential targets.
     □ Vulnerability Scanners
       A vulnerability scanner is a program that looks for vulnerabilities on either the
       local system or on remote systems. Vulnerability scanners help attackers find
       hosts that they can exploit successfully.
     □ Password Crackers
       Various utilities are available that can crack operating system and application
       passwords. Most cracking utilities can attempt to guess passwords from a word
       list, as well as performing brute-force attempts that try every possible
       password. The time needed for a brute-force attack on a hashed or encrypted
       password can vary greatly, depending on the hashing or encryption algorithm used
       and the strength of the password itself.
     □ Remote Login Programs
       Attacker toolkits often contain programs such as secure shell (SSH) and telnet
       that can be used to log in to other systems remotely. Attackers can use these
       programs for many purposes, such as controlling compromised systems and
       transferring data between systems.
     □ Attacks
       Attacker toolkits often contain a variety of utilities and scripts that can
       launch attacks against the local system or remote systems. The attacks may have
       a variety of purposes, including compromising a system or causing a denial of
       service (DoS).
7. Spyware
   Spyware is a general term for software designed to capture information from, or take
   control of, a user's computer without first obtaining the user's consent. Such
   software falls into a number of categories:
   ■ Security monitoring
     Software that may be installed legitimately to provide security or workplace
     monitoring.
   ■ Advertising
     Software that tracks user online activities for marketing purposes and displays
     advertising through pop-up or pop-under windows while you are surfing the Web is
     typically called adware. Adware is an advertisement-focused application that
     installs itself on systems with little or no user interaction.
     That does not mean all software that provides ads or tracks your online activities
     is bad. For example, you might sign up for a free music service, but you "pay" for
     the service by agreeing to receive targeted ads. If you understand the terms and
     agree to them, you may have decided that it is a fair tradeoff. You might also
     agree to let the company track your online activities to determine which ads to
     show you.
   ■ Collecting personal or sensitive information
     Software that is maliciously installed, either as a general violation of a user's
     privacy or to collect information that allows further attacks on their computer or
     online transactions. Software that collects personal or sensitive information is
     what is usually meant by spyware in the narrow sense. Spyware is a potentially more
     dangerous beast than adware because it can record your keystrokes, history,
     passwords, and other confidential and private information.
   ■ Changing the configuration of your computer
     Some software makes changes to the user's computer that are annoying and can cause
     the computer to slow down or crash. These programs can change the Web browser's
     home page or search page, or add components to the browser that users don't need
     or want. They also make it very difficult to change the settings back to the
     original configuration.
Comparison of Some Malware Types

Characteristic       Virus             Worm              Trojan Horse   Malicious Mobile Code   Tracking Cookie   Attacker Tools
-------------------  ----------------  ----------------  -------------  ----------------------  ----------------  --------------
Self-contained       No                Yes               Yes            No                      Yes               Yes
Self-replicating     Yes               Yes               No             No                      No                No
Propagation method   User interaction  Self-propagation  N/A            N/A                     N/A               N/A
Types of Payload
The term payload refers to an action that a malware performs apart from its main
characteristics. For example, the payload of a virus covers all the actions it performs
(deleting files, reformatting the user's hard drive) apart from its propagation method.
Payloads range from the relatively harmless to the destructive:
1. No payload
   The malware does nothing beyond replicating or propagating itself.
2. Minor payloads
   ■ Ejecting the CD drive
   ■ Displaying messages or images
   ■ Degrading the overall performance of the computer
   ■ Consuming storage space and memory
3. Destructive payloads
   Destructive payloads are those that incapacitate the user's access to data or
   programs on their computer. Some examples include:
   ■ Encrypting the user's data
   ■ Damaging the user's files
   ■ Deleting files on the user's computer
   ■ Reformatting the user's hard drive
   ■ Rendering the user's machine unbootable
4. Data export payloads
   Data export payloads send the user's data to an outside attacker. Common targets
   include:
   ■ User passwords
   ■ Credit card information
   ■ Documents
   ■ Spreadsheets
   ■ Keystrokes
5. Data import payloads
   This type of payload imports further programs or data in order to do further damage.
   A malicious program that carries this type of payload is typically a small "stub"
   which, once running, connects to the web and downloads additional malicious code.
Commonly Used Malware Self-Preservation Techniques
1. Stealthing
   Stealthing refers to concealing the presence of malware on the infected system. The
   following are commonly used methods:
   ■ Using the hidden attribute
     The most popular stealthing method used by companion viruses is simply setting the
     "hidden" attribute on the virus file, making it less likely that the victim will
     notice the file in a directory listing.
   ■ Not increasing the size of the original file
     When stream companion viruses attach to a host, no new files are created, and most
     tools will report that the size of the original file did not change. On a Windows
     computer that uses the NTFS file system, these viruses live in an alternate data
     stream attached to some normal file on the system. Ordinary directory listings do
     not show alternate data streams; dir /R and PowerShell's Get-Item -Stream * do.
   ■ Presenting a wholesome image
     Some malware covers itself up by intercepting the antivirus program's attempt to
     read a file and presenting a clean version of the file to the scanner. When the
     scanner looks at the infected file, it is shown a wholesome image instead.
   ■ Slowing down the infection rate
     Malware might slow down the rate at which it infects or damages files, so that it
     takes the user a long time to realize there is an infection.
2. Polymorphism
Generally speaking, polymorphism is the process through which malicious code modifies its appearance to prevent detection without actually changing its underlying functionality (the same malicious code can assume many forms, all with the same function). Using this technique, the malicious code dynamically changes itself each time it runs. The malicious code still has the same purpose, but a very different code base. Any signatures focused on the earlier form of the malicious code will no longer detect the new, morphed versions. The following are commonly observed polymorphism techniques:
   ■ The simplest way to implement polymorphism in script-based viruses is to have the malware modify the names of its internal variables and subroutines before infecting a new host. These names are typically chosen at random to complicate the task of creating a signature for the malware.
   ■ Another way of achieving polymorphism involves changing the order in which instructions are included in the body of the malware. This can be tricky to implement, because the malware needs to make sure that the new order does not change the functionality of the code. Viruses can also modify their signature by inserting instructions into their code that don't do anything, such as subtracting and then adding 1 to a value. These functionally inert instructions allow the code to maintain its original function but evade some signature-based detection.
   ■ In another polymorphic technique, a virus encrypts most of its code, leaving in clear text only the instructions necessary to automatically decrypt itself into memory at runtime. The virus would typically use a different randomly generated key to encrypt its body, embed the key somewhere in its code, and vary the look of the decryption algorithm to confuse signature-based scanners. The MtE mutation engine, released around 1992, was the first tool for easily adding polymorphic capabilities to arbitrary malicious code while morphing the decryptor.
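As an added example (not part of the original document), the following Python normaliser shows why a signature over the raw text fails against the first two tricks above (identifier renaming and inert subtract/add pairs), and how canonicalising the script before hashing restores the match. The two toy script variants and the `write_log` API name are constructed for the demonstration.

```python
import hashlib
import re

# Constructed toy "script" variants (not real malware): the same logic after the
# two tricks described above, identifier renaming and an inert "-1 / +1" pair.
VARIANT_A = """
count = 0
count = count + 2
write_log(count)
"""
VARIANT_B = """
qz81 = 0
qz81 = qz81 - 1
qz81 = qz81 + 1
qz81 = qz81 + 2
write_log(qz81)
"""
API_NAMES = {"write_log"}            # fixed API names are never renamed
ARITH = re.compile(r"^(\w+) = \1 ([+-]) (\d+)$")
IDENT = re.compile(r"[A-Za-z_]\w*")

def strip_inert_pairs(lines):
    """Drop 'v = v - k' immediately followed by 'v = v + k' (or the reverse)."""
    out, i = [], 0
    while i < len(lines):
        m = ARITH.match(lines[i])
        n = ARITH.match(lines[i + 1]) if m and i + 1 < len(lines) else None
        if n and n.group(1) == m.group(1) and n.group(3) == m.group(3) \
                and n.group(2) != m.group(2):
            i += 2                  # net effect is zero: skip both lines
            continue
        out.append(lines[i])
        i += 1
    return out

def canonicalize_names(lines):
    """Rename identifiers in order of first appearance: v0, v1, ..."""
    names = {}
    def repl(m):
        tok = m.group(0)
        return tok if tok in API_NAMES else names.setdefault(tok, f"v{len(names)}")
    return [IDENT.sub(repl, line) for line in lines]

def normalize(script):
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    return "\n".join(canonicalize_names(strip_inert_pairs(lines)))

def raw_signature(script):          # byte-exact hash: differs per variant
    return hashlib.sha256(script.encode()).hexdigest()

def normalized_signature(script):   # hash of canonical form: same for both
    return hashlib.sha256(normalize(script).encode()).hexdigest()
```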
3. Metamorphism
Metamorphism is a process that applies a variety of syntax-mutating, behavior-preserving transformations to malicious code in order to defend it against detection methods based on static analysis. This is often done in subtle ways to ensure that the malicious code evades detection without losing its potency. Metamorphic viruses often change the structure of their files by varying the location of the mutating and encrypting routines. Additionally, metamorphic malware such as Simile has the ability to dynamically disassemble itself, change its code, and then reassemble itself into executable form.
4. Antivirus deactivation
One of the ways in which malicious code attempts to protect itself is by disabling the virus protection mechanisms on the target machine. The most prominent candidates for deactivation are the processes that belong to antivirus software running on the infected system. The most successful viruses employing this technique might get onto the system unrecognized, and then hurry to disable antivirus software before the malware gets detected or before the user updates the database of virus signatures.
The ProcKill Trojan is one example of malware that contains a list of more than 200 process names that usually belong to antivirus and personal firewall programs. Once installed on the system, ProcKill searches the list of running processes and terminates those that it recognizes. Without the appropriate antivirus and personal firewall processes running on the machine, the virus has free rein to infect and alter the system.
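As an added detection example (not from the original document), the following Python code looks for the behaviour just described: one process terminating several security-product processes in quick succession, plus a simple liveness check for protective processes that should still be running. The watch list, event format and event lines are constructed placeholders, not any vendor's real process names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watch list of processes a defender expects to stay running
# (placeholder names, not any vendor's real process list).
PROTECTED = {"avscanner.exe", "avservice.exe", "fwmonitor.exe", "edragent.exe"}

# Constructed termination events: "timestamp,terminating_process,terminated_process".
# One source sweeps through the protected names within seconds; an admin using
# Task Manager ends a single one half an hour later.
EVENTS = """\
2024-05-01T10:00:01,explorer.exe,notepad.exe
2024-05-01T10:00:05,update.tmp,avscanner.exe
2024-05-01T10:00:05,update.tmp,avservice.exe
2024-05-01T10:00:06,update.tmp,fwmonitor.exe
2024-05-01T10:00:07,update.tmp,edragent.exe
2024-05-01T10:30:00,taskmgr.exe,avscanner.exe
"""

def parse_events(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst = line.strip().split(",")
        rows.append((datetime.fromisoformat(ts), src.lower(), dst.lower()))
    return rows

def find_mass_kills(events, protected, window=timedelta(seconds=30), min_kills=3):
    """Map each source that terminates at least `min_kills` distinct protected
    processes within `window` to the list of names it killed."""
    by_src = defaultdict(list)
    for ts, src, dst in sorted(events):
        if dst in protected:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, kills in by_src.items():
        for i, (start, _) in enumerate(kills):   # sliding window from each kill
            names = []
            for ts, dst in kills[i:]:
                if ts - start > window:
                    break
                if dst not in names:
                    names.append(dst)
            if len(names) >= min_kills:
                alerts[src] = names
                break
    return alerts

def missing_protected(running, protected):
    """Protective processes that should be alive but are absent from the process list."""
    return protected - {p.lower() for p in running}
```

A single kill by an interactive tool stays below the threshold, while a ProcKill-style sweep through a name list crosses it.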
Prevention of Malware
There are many actions that malicious code can take in an attempt to bypass security mechanisms. Malware can be thwarted by the following procedures:
1. Protecting the operating system
Much malware uses operating system vulnerabilities to spread. Keeping your operating system up to date can keep malware out of your system in the first place. Examples are:
   ■ Turn on Windows auto update.
   ■ Apply patches for the operating system.
2. Protecting applications
Keep your applications up to date. Applying security patches for applications is another way to keep malware out of your system. Examples are:
   ■ Regularly check and install security updates provided by your preferred instant messaging service.
   ■ Regularly check and install security updates for peer-to-peer (P2P) programs.
3. Using antivirus software
Antivirus software solutions have grown increasingly intelligent in their ability to spot stealthy polymorphic code and survive simple deactivation attempts. With an anti-virus application you will prevent most known malware. Examples are:
   ■ Install an anti-virus application on email servers, file servers, and workstations.
   ■ Keep anti-virus signatures and the scanning engine up to date.
   ■ Properly configure the anti-virus application to do real-time scans and scheduled scans.
   ■ Don't turn off real-time scanning.
4. Using a firewall
A firewall can be hardware or software. Trend Micro products (OfficeScan, PC-cillin Network Security) have a software firewall option.
5. Hardening configuration
Hardening the operating system and applications can avoid unnecessary security issues. Examples are:
   ■ Properly configure your operating system and applications.
   ■ Secure user accounts.
   ■ Set up appropriate user privileges.
   ■ Use a secure password.
6. User education
With user education, most malicious code will be less likely to find its way into your systems in the first place. For example:
   ■ Do not open email messages from unknown senders.
   ■ Do not open email messages from known persons that appear to be a continuation of a correspondence if the topic does not seem relevant to typical correspondence with the sender.
   ■ Do not open suspicious-looking attachments, such as unrequested materials, or materials that have no relevance to the sender or recipient.
   ■ Scan attached files before opening them.
   ■ Never accept file transfer requests from an unknown source.
   ■ Never click on links sent by an unknown source.